Twitter About To Be Hit With A ~$250 Million Fine For Using Your Two Factor Authentication Phone Numbers/Emails For Marketing

from the good dept

There are many things that big internet companies do that the media have made out to be scandals that aren't. But one misuse of data that I think received too little attention is how both Facebook and, later, Twitter were caught taking the phone numbers (and email addresses) people gave them for two-factor authentication and using them for notification and marketing purposes.

In case you're somehow unaware, two-factor authentication is how you should protect your most important accounts. I know many people are too lazy to set it up, but please do so. It's not perfect (Twitter's recent big hack routed around 2FA protections), but it is many times better than relying on a username and password alone. In the early days of 2FA, one common way to implement it was to use text messaging as the second factor: when you tried to log in on a new machine (or after a certain interval of time), the service would text you a one-time code that you had to enter to prove that you were you.

Over time, it became clear that this method is the weakest form of 2FA. Many account takeovers involved "SIM swapping" (socially engineering the carrier into porting your phone number to a device the attacker controls), after which the 2FA code is delivered straight to the attacker. These days, good 2FA usually means an authenticator app such as Google Authenticator or Twilio's Authy, which generates time-based codes locally from a secret shared at enrollment rather than receiving them over the phone network, or, better still, a physical security key such as a YubiKey or Google's Titan Key, which is also bound to the site it was registered with and so resists phishing. However, many services and users have stuck with text messaging because it is the least complex option for users, and the problem with any security practice is that if it isn't user-friendly, no one will use it, which doesn't do any good either.

But using phone numbers given for 2FA purposes for notifications or marketing is really bad. First, it undermines trust, which is the last thing you want when dealing with a security mechanism. People handed over these phone numbers and emails for one specific, delineated reason: to better protect their accounts. Passing that phone number or email to the marketing team is a massive violation of that trust. It also widens the exposure of a security-critical identifier: every additional system that copies the number for targeting is another place it can leak from, and a leaked 2FA phone number is exactly the starting point for the SIM-swap attacks described above. And it undermines the entire concept of two-factor authentication, because many users will become less willing to enable 2FA, fearing how the numbers might be abused.

As we noted when Facebook received the mammoth $5 billion fine from the FTC a year ago, while the media focused almost entirely on the Cambridge Analytica situation as the reason for the fine, if you actually read the FTC’s settlement documents, it was other things that really caused the FTC to move, including Facebook’s use of 2FA phone numbers for marketing. We were glad that Facebook got punished for that.

And now it's Twitter's turn. Twitter has revealed that the FTC is preparing to fine the company $150 million to $250 million for this practice, noting that it violated the terms of an earlier consent decree with the FTC, from 2011, in which the company promised not to mislead users about how it handled personal information. Yet, for years, Twitter used the phone numbers and emails provided for 2FA to help target ads (in effect, using the phone number or email as a matching identifier for ad targeting).

There's no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it. There are many things I think Twitter gets unfairly blamed for, but a practice like this is both bad and dangerous, and I'm all for large fines from the FTC to convince companies never to do this kind of thing again.
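What the article describes is a purpose-limitation failure: an identifier collected for one purpose (2FA) became reachable by a system with another purpose (ad matching). As an added example, not Twitter's or Facebook's code and not part of the original post, here is how that boundary can be enforced in the data layer rather than by policy alone. Each contact identifier carries the purposes the user consented to, the only read path is filtered by purpose, and advertiser list matching (the SHA-256-of-normalized-identifier scheme that ad platforms' list-upload products accept) runs over the marketing view only, so a 2FA-only number simply never matches. `Contact`, `ContactStore`, `normalize_phone` and the sample users are this example's own inventions; phone normalization is deliberately simplified to North American numbers, where a real system would use a library such as libphonenumber.

```python
import hashlib
import re
from dataclasses import dataclass

# Purposes a contact identifier may be used for. A record collected only for
# "2fa" must never surface in the marketing path, however the query is phrased.
PURPOSE_2FA = "2fa"
PURPOSE_MARKETING = "marketing"


@dataclass
class Contact:
    user_id: str
    kind: str            # "phone" or "email"
    value: str           # as the user entered it
    purposes: frozenset  # what the user consented to, e.g. frozenset({"2fa"})


def normalize_phone(raw: str, default_country: str = "1") -> str:
    """Canonicalise to E.164. Simplified (bare 10-digit numbers are assumed to be
    NANP); production code should use a real library such as libphonenumber."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:
        return "+" + default_country + digits
    if len(digits) == 11 and digits.startswith(default_country):
        return "+" + digits
    raise ValueError(f"cannot normalise phone number: {raw!r}")


def normalize_email(raw: str) -> str:
    return raw.strip().lower()


def hashed_identifier(contact: Contact) -> str:
    """SHA-256 of the normalised value: the form advertiser list-matching products
    accept. A match here is exactly "using the number as a targeting key"."""
    if contact.kind == "phone":
        norm = normalize_phone(contact.value)
    else:
        norm = normalize_email(contact.value)
    return hashlib.sha256(norm.encode()).hexdigest()


class ContactStore:
    def __init__(self):
        self._contacts: list[Contact] = []

    def add(self, contact: Contact) -> None:
        if not contact.purposes:
            raise ValueError("a contact must be stored with at least one purpose")
        self._contacts.append(contact)

    def for_purpose(self, purpose: str) -> list[Contact]:
        """The only read path: callers name a purpose and see nothing else."""
        return [c for c in self._contacts if purpose in c.purposes]

    def second_factor_phone(self, user_id: str):
        """The login path: the 2FA view, and nothing about marketing consent."""
        for c in self.for_purpose(PURPOSE_2FA):
            if c.user_id == user_id and c.kind == "phone":
                return normalize_phone(c.value)
        return None

    def audience_match(self, uploaded_hashes: set[str]) -> set[str]:
        """Advertiser list matching, restricted to identifiers consented for
        marketing. A 2FA-only number in the upload does not match."""
        return {
            c.user_id
            for c in self.for_purpose(PURPOSE_MARKETING)
            if hashed_identifier(c) in uploaded_hashes
        }


def build_sample_store() -> ContactStore:
    """Constructed sample data for this demonstration (not real users)."""
    store = ContactStore()
    store.add(Contact("alice", "phone", "(415) 555-0100", frozenset({PURPOSE_2FA})))
    store.add(Contact("bob", "email", " Bob@Example.com ", frozenset({PURPOSE_MARKETING})))
    store.add(Contact("carol", "phone", "+1 415 555 0199",
                      frozenset({PURPOSE_2FA, PURPOSE_MARKETING})))
    return store


def demo() -> set[str]:
    store = build_sample_store()
    # An advertiser uploads hashes of the numbers it holds for alice and carol.
    upload = {
        hashlib.sha256(b"+14155550100").hexdigest(),
        hashlib.sha256(b"+14155550199").hexdigest(),
    }
    return store.audience_match(upload)   # alice is invisible to this path


if __name__ == "__main__":
    print(demo())
```

The point of routing every read through `for_purpose` is that the marketing code cannot "accidentally" join against the 2FA table: the records it can see are the ones with marketing consent, and a later change of purpose is a deliberate, auditable write to the record rather than a silent reuse.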

Companies: twitter

Comments on “Twitter About To Be Hit With A ~$250 Million Fine For Using Your Two Factor Authentication Phone Numbers/Emails For Marketing”

34 Comments
Koby (profile) says:

Parable Time

There’s no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it.

Once upon a time, a scorpion approached the bank of a river, looking to cross. The scorpion saw a nearby frog, and asked, "Hey there Mr. Frog, can you help me across the river? I can ride on your back!" And the frog replied, "No, I don’t want to give you a ride on my back. You’ll sting me." The scorpion denied it, saying "No I won’t. If I sting you in the middle of the river, I’ll drown too." So the frog agreed.

The scorpion climbed onto the frog’s back, and the frog swam across the river at the top surface, keeping the scorpion dry and above water. But when they got to around halfway, the scorpion stung the frog with its poisonous tail.

As the frog slowed down, struggling to stay above water, the poison filling his veins, and death becoming apparent, the frog asked "Why did you sting me, scorpion? Now we will both die in the river."

And the scorpion replied, "I tried not to, but I couldn’t help it. I’m a scorpion!"

Uriel-238 (profile) says:

Re: That stupid scorpion parable

"It is my nature" may explain why a mother with starving children will steal food, but it doesn't explain well the ill behaviors of a ten-billion dollar company, and tends rather to imply a failure of upper management, or at worst, a poor business model.

The scorpion in this case could don a fucking cork on its stinger, or hire a turtle. Or take some don't-sting-the-frog lessons. But instead not only does he die with the frog, but no future frogs will trust future scorpions in need.

Seattle Rex (profile) says:

Re: Re: Parable Time

you not only think this is original and clever to invoke (it’s not)

No, what's unique and clever is attacking and arguing with someone over something they so obviously never said. What's unique and clever is implying bad faith where none was evident to anyone else, and what's unique and clever is being an asshat for no other reason than that it's the Internet.

It’s literally the first time each and every one of these things has been done. Congratulations on staying original.

catsmoke (profile) says:

Re: Parable Time

I couldn’t help it. I’m a scorpion!

What is the reasoning behind this so-called parable? It makes no sense.

Does the illustration mean to imply that some bad actors should be excused for their wrongdoing, due to their inherent wicked natures?

That’s a blaming-the-victim paradigm.

I’ve heard this parable over and over again, during my lifetime, and it’s always seemed to be pure foolishness.

PaulT (profile) says:

Re: Re: Parable Time

"Does the illustration mean to imply that some bad actors should be excused for their wrongdoing, due to their inherent wicked natures?"

I’ve always read it as being "certain types of creatures are just evil and should be avoided, don’t be surprised when they act evil if you’re dumb enough to trust them".

Which, depending on how you read it can have some disturbing connotations in general life.

Seattle Rex (profile) says:

Re: Re: Parable Time

I’ve heard this parable over and over again, during my lifetime, and it’s always seemed to be pure foolishness.

It takes a measure of abstract thinking to get ones like this. Abstract thinking, at least in its most commonly-acknowledged forms, begins at an IQ somewhere around 110. This is a full standard deviation above the average US national IQ of 98.

There are no doubt plenty of people confused by it. They tend to be bamboozled by parables like this, and read into them all kinds of things that were never intended. You are doing that here. Some of you desperately want a straw man to attack so badly, that you’re creating it out of all kind of non-strawman things.

This does not imply "blaming" the victim or anything of the like. That’s a creation of your own mind. Break free from the buzzword salesmen, those people who promise salvation if only you return the favor and fail to point out their hypocrisy.

Just say no to their temptations and false rewards of absolution.

Jason says:

Not wanting voicemail/text message spam is the main reason I’ve avoided turning on 2FA for several online accounts that offer it, despite knowing the security advantages.

It’s definitely bad that Twitter was doing something that undermined trust. But to me, the underlying problem is only grazed:

noting that it violated the terms of an earlier consent decree…where the company promised not to mislead users about how it handled personal information.

In many of the cases I’ve avoided 2FA, it’s because the terms of service explicitly state that the cell phone number I provide can and will be used for marketing purposes, and that by providing it I am consenting. I don’t, so I don’t.

So, yes, what they were doing was bad. But it sounds like they’re getting fined because they weren’t following their stated promise not to, not because of the inherent badness of the behavior itself.

Anonymous Anonymous Coward (profile) says:

Re: Re:

I concur with your analysis, but the reason I don't use 2FA is that I don't have a phone, cell or landline. I don't need one, and 2FA isn't a good enough reason for the expense or other inconveniences that come along with having one. But there are reasons to use 2FA; for instance I have a gmail account (one I got a long time ago) but if I want another one, I have to be able to receive a text message for authentication. Apparently, in the past, there were Internet-based SMS sites that would satisfy this need, but no longer; Google has disallowed these.

So if a service were to require 2FA, they will be without my business, and as you point out, it isn’t necessary to lack a phone to have a reason to opt out of 2FA.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re: Re:

The reviews for Google Authenticator and Twilio’s Authy both present issues. Maybe they will mature and become better.

I have thought about the Yubi key, but I am not sure the hassle is worth it. I use a password manager, with very strong and very obscure passwords that are easily changed, though visiting each site and finding the place to change passwords is a pain.

Anonymous Coward says:

Re: Re: Re:2 Re:

The reviews for Google Authenticator and Twilio’s Authy both present issues. Maybe they will mature and become better.

Google Authenticator uses TOTP, a standard protocol. There are various compatible programs, or you can use a few lines of python (plus the pyotp module):

    import sys
    import pyotp
    key = sys.stdin.readline().strip()   # base32 secret, e.g. piped in from a password manager
    totp = pyotp.TOTP(key)
    print(totp.now())

You just need to get 'key' in base32 format, e.g. by reading it from a file or piping it from your password manager. The key will be given by the service that wants you to enroll in 2FA (it might be in QR-code form). It's not quite a second factor if the manager has both secrets, but it should satisfy any site requiring this form of 2FA.
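The article's description of authenticator apps and the pyotp snippet in the comment above both rest on the same standard: TOTP (RFC 6238) layered on HOTP (RFC 4226). The following is an added example, not code from the original post or from any commenter, that implements it with only the Python standard library so the mechanism is visible: an HMAC over a time-step counter, dynamic truncation, and a server-side verifier that tolerates one step of clock drift but refuses to accept a time step twice. `TotpVerifier`, its `window` parameter and `decode_base32_secret` are this example's own names; the secret `12345678901234567890` is the test vector published in RFC 6238 Appendix B, which is why the expected codes are known.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 defaults, which are also what Google Authenticator and Authy use.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian), dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS,
         digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (T0 = 0)."""
    return hotp(secret, at // step, digits, algo)


def decode_base32_secret(key: str) -> bytes:
    """Secrets in otpauth:// URIs and QR codes are unpadded base32, often shown
    in lower case with spaces; normalise and restore the padding before decoding."""
    key = key.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


class TotpVerifier:
    """Server side. Accepts codes within +/-`window` steps to absorb clock drift,
    and never accepts a time step twice, so a code that was phished or read off a
    compromised phone cannot be replayed during its validity period (RFC 6238 s5.2)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed, or older than a step we accepted
            # Constant-time comparison: the verifier must not leak which digits matched.
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # The current code for the RFC 6238 test secret, as an authenticator app would show it.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, int(time.time())))
```

Two things this makes concrete. First, the code is a pure function of the secret and the clock, so whoever holds the secret can mint codes at will; that is the commenter's point that storing the TOTP secret in the same password manager as the password collapses the two factors into one. Second, the verifier state (`last_accepted_step`) is what turns a six-digit code that is trivially guessable offline into something an attacker gets at most a handful of online attempts at; a real deployment also rate-limits failures per account.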

PaulT (profile) says:

Re: Re: Re:2 Re:

"I use a password manager, with very strong and very obscure passwords that are easily changed,"

Which, of course, makes it so that you have no backup protection in the unlikely event you have been compromised. It's good practice, but if either the site you log into gets compromised or the password manager site itself is compromised, you won't have any way of stopping abuse until after it's happened.

It’s up to you whether you trust the 2FA method you choose and accept the downsides of each (and none is perfect), but I’d personally recommend having the sites where you have your most important data stored be set up to at least inform you when someone’s logged in if not require 2FA. Better to be annoyed by the occasional demand for a second factor to be confirmed than find out that someone had access to your data when a site compromise is announced days or weeks after it’s been breached.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:3 Re:

The password manager I use is Password Safe, originally by Bruce Schneier and now maintained by others. It does not use a website; it has a self-contained database, which I rename and number by version. They stopped making a Linux build but there is a clone by Marc Deslauriers called Pasaffe which reads the same file types; you just need to copy your database to the correct folder (/home/user/.local/share/pasaffe/) and rename it pasaffe.psafe3.

I also use SpiderOak cloud backup (recommended by Edward Snowden and fully encrypted), and the SpiderOak_Hive system which syncs between machines set up for it (even the Windows side of my dual boot laptop) so I never actually could lose my database, though I came close recently as various updates put my protections askew. My savior was that I also had a copy on my Android tablet which is not on SpiderOak. I hard link the Pasaffe database to the Hive and make a copy that is renamed for use with the Windows/Android versions, and then backed up to the cloud and other Hive instances. That way, I have the same database everywhere, though the transfer to the Android tablet is manual.

nasch (profile) says:

Re: Re: Re:5 Re:

It doesn’t matter how good your password is if their database gets compromised.

If you are referring to your password getting stolen from their database, any remotely competent admins will ensure that this does not matter. So hopefully you’ll be OK anyway. If you mean other personal information getting compromised server side, 2FA doesn’t help with that either.

It's good practice, but if.. the password manager site itself is compromised, you won't have any way of stopping abuse until after it's happened.

The password storage will be encrypted, possibly with multiple passes, and hopefully a very strong password. You could hand an attacker your password file and user name, and they should be able to do nothing useful with it. You will have at minimum many trillions of years to change your passwords before they’re able to brute force it.

https://scrambox.com/article/brute-force-aes/

PaulT (profile) says:

Re: Re: Re:6 Re:

"If you are referring to your password getting stolen from their database, any remotely competent admins will ensure that this does not matter"

That’s a reasonably large assumption with some companies. How many times do you read about some unencrypted stash being leaked or plaintext details left on the open web? I regularly get emails from haveibeenpwned.com regarding leaks, some of them years after the event.

"If you mean other personal information getting compromised server side, 2FA doesn’t help with that either."

I simply mean that if your password is compromised in some way and someone logged in successfully, you at least get informed with 2FA, whereas without it you won't know until they have done whatever they want in your account.

"The password storage will be encrypted, possibly with multiple passes, and hopefully a very strong password."

Based on a number of assumptions that don’t hold true for every site. Sure, if you’re careful the risk is minimal, but we constantly hear of things like this:

https://www.vice.com/en_us/article/qvy9k7/facebook-hundreds-of-millions-user-passwords-plaintext-data-leak

Sure, supposedly the passwords weren’t visible to anyone outside of Facebook in that case, but no password manager will help you if the site you’re logging in to allows people to view plain text passwords. 2FA will.

In the above case, all it takes is for some other part of Facebook to be compromised in a way that allowed the plain text to be viewed (or a corrupt employee leaking the list to external bad actors), and someone’s logging into your account without you knowing about it until after the damage is done.

It’s simply worth putting extra protection into place for anything important and not depend on a single type of security. Sure, it’s unlikely that my decently maintained car driven within normal limits will have a crash, but I still wear a seatbelt in case something happens beyond my control.

nasch (profile) says:

Re: Re: Re:7 Re:

How many times do you read about some unencrypted stash being leaked or plaintext details left on the open web?

All the time, but usually not plain text passwords. That Facebook issue is pretty awful though. I hope I’m not being naive about how many places might log a plain text password.

Based on a number of assumptions that don’t hold true for every site.

What password manager stores passwords unencrypted?

It’s simply worth putting extra protection into place for anything important and not depend on a single type of security.

I completely agree, I just wanted to push back a bit on how vulnerable passwords and password managers are (generally, with a significant caveat of proper password security).

PaulT (profile) says:

Re: Re: Re:8 Re:

"I hope I’m not being naive about how many places might log a plain text password."

Well, it’s always better to be safe than sorry. You would hope that anywhere you’re trusting with your data is better than that, but there’s no accounting for incompetence and/or corrupt employees. There are a great many examples where even the most basic security procedures you would hope be in place have not been there, and you can’t trust that you’ll find out of a company’s problems before someone else has exploited them.

"What password manager stores passwords unencrypted?"

Hopefully none, but again it’s down to having a layer of extra security should the one you mainly depend on fail.

I’m not saying that badly secured password managers are common nor that every company you deal with is likely to have a problem as big as Facebook’s was. Only that there’s no harm in having the extra security and it’s always good to have notification of when the main security method you rely upon is breached, especially if that notification method also prevents the attacker from getting past the login screen on a successful password entry.

Seattle Rex (profile) says:

Re: Re: Re:5 Re:

OK, that's very good, though it still won't protect you from your account on any website getting compromised on the server end. It doesn't matter how good your password is if their database gets compromised.

Wait, I know you!

https://www.nydailynews.com/resizer/otMpBO682HEELHriNSsX6yZ28IY=/1200×0/arc-anglerfish-arc2-prod-tronc.s3.amazonaws.com/public/RPMJ3ZO2FS2JV4DPKM2L6FP47A.jpg

Seattle Rex (profile) says:

Re: Re:

So, yes, what they were doing was bad. But it sounds like they’re getting fined because they weren’t following their stated promise not to, not because of the inherent badness of the behavior itself.

Do you guys bend over backward to not understand things, or is this genuine?

They promised not to after the FTC declared the behavior "bad" 9 years ago. Its "badness" underlines the entire set of exchanges between the FTC and Twitter.

I can’t wait to read the next comment. I expect something like:

"So, what I think this means is this that the scorpion was a misogynist and the frog was a racist. The snail wasn’t even mentioned because they is transgender, so the bottom line is the whole thing is about sexually assaulting ostriches."

I mean, why not. It means what you want it to mean I guess.

good grief

Anonymous Coward says:

The Facebook 2FA abuse was particularly bad. I have a bad habit of replying to automated messages for catharsis. Turns out that when Facebook decided it was a good idea to text alerts of status updates from friends it decided were important to you, it also decided that any replies to said text would then be posted on said status update under your account. Had a fun time explaining THAT one to my friend.

